Archive

I immediately looked on Snopes when I saw this raw image as I just couldn’t understand how on Earth someone thought this was a good idea:

Put a clear plastic bag with a fake bomb contained within in conspicuous spaces of a public mall with a "public service message" written on the front. The point was to suggest that with a little attention to detail, people can avert a tragedy.

The message reads:

It’s this obvious if you are alert. If you spot anything suspicious, please inform security.
Dummy Explosives
A public service initiative by R Mall

So, if I see a bag that contains an explosive, I should get close enough to read the tagline that says "Boom! You’re Dead!?"

In Boston our police force blew up little Aqua Teen Hunger Force brite-lites that were part of an advertising stunt. Could you imagine what the hell they’d do with this?

I read ZDNet’s coverage of the Wharton Technology Conference in Philadelphia by Larry Dignan and was astounded by what Larry reported was said in regards to comments made by TD Ameritrade’s Chief Security Officer, Bill Edwards.

I’m not trying to pick on Mr. Edwards as I have never met the man, but his comments regarding SOA left me disillusioned about how security and emerging technologies are approached in what continues to be a purely reactive, naive and disconnected manner.

Specifically, SOA is not exactly "new." The evolution of technology, maturing of standards, proliferation of Web 2.0 and massive deployments of SOAs in some of the world’s largest companies shouldn’t come as a surprise to anyone…even in the risk-averse financial services sector. That being said, SOA is disruptive and innovative and needs to be approached both strategically as well as tactically.

As a former CISO of a $25 Billion financial services firm, I was embroiled in our first SOA deployments 2.5 years ago. It’s blood and guts. It involves dealing with the business, business partners, IT and development staffs in ways you never have. It takes communication, education, expertise and business acumen. It’s not something you wait to be dragged into.

The notion that a security team would be "dragged" into SOA rather than embrace and approach it proactively and from the perspective of a thought leader and collaborative contributor astounds me.

That said, here’s what I had a problem with:

TD Ameritrade Chief Security Officer Bill Edwards figures that he’s going to be pulled onto the service oriented architecture (SOA) bandwagon soon. He might as well use it to enhance security.

"When the architects approached me about SOA my first reaction was ‘no you can’t do that,’" said Edwards, who spoke at a financial services online fraud panel at Wharton Technology Conference in Philadelphia on Friday. "But then I realized I’m going to be dragged along with SOA anyway so I should use it to rebuild security from the ground up. I know it’s coming so my team got friendly with the architecture group."

What disturbs me is that SOA represents potentially monumental impact to business, technology and security and instead of embracing (see below) this in a proactive manner, the ad hoc formation of a "strategic" response is "…if you can’t beat ’em, join ’em" and perhaps leverage this to fix problems that weren’t fixed prior.

Paying for sins of the past with currency of the future and confusion in the present isn’t exactly showing alignment to the business as an enabler. But that’s just me.

It’s clear that the first reaction of saying "no, you can’t do that" is so incredibly typical and representative of the security industry in general; fear what you don’t understand and can it. I can’t imagine how making decisions on risk without an effective model is doing the business justice.

Realizing that this is a train on the tracks that can’t be ducked and that he’s going to be "dragged along with SOA" and that something must be done to head off disaster at the pass (or at least get more budget,) I’m having trouble reconciling this:

"SOA is going to be embraced by security. I don’t know if the industry is ready for security on SOA, but I’m looking forward to it as it will make my job easier," he said. "SOA allows you to get granular on security and focus on specific modules."

I am really having trouble understanding whether this is a statement or a question, but I just cannot comprehend how much sense that last sentence fails to make.

You’re not embracing SOA when you describe being "dragged into it" and your first reaction is "no." Further, if you’re deploying SOA and you’re not baking in security, you should be fired.

Secondly, explain to me how SOA is going to make security (his job) easier? Because you can get "granular on security?" Huh? SOA is complex. If you don’t have your "stuff" together in the first place, it’s only going to make your life more difficult.

I’m sorry for this reading like I’m a grumpy bastard (I am) and that I’m singling out Mr. Edwards (he chose to be on a panel), but this just doesn’t jibe.

My advice to Mr. Edwards and anyone else looking for the right approach to take with SOA and security is to read Gunnar Peterson’s blog or some more of his work.

Over the last couple of months, the topic of virtualization and security (or lack thereof) continues to surface as one of the more intriguing topics of relevance in both the enterprise and service provider environments and those who cover them. From bloggers to analysts to vendors, virtualization is a greenfield for security opportunity and a minefield for the risk models used to describe it.

There are many excellent arguments being discussed which highlight in an ad hoc manner the most serious risks posed by virtualization, and I find many of them accurate, compelling, frightening and relevant. However, I find that overall, to gauge in relative terms the impact that these new combinations of attack surfaces, vectors and actors pose, the risk model(s) are immature and incomplete.

Most of the arguments are currently based on hyperbole and anecdotal references to attacks that could happen. It reminds me much of the ballyhooed security risks currently held up for scrutiny for mobile handsets. We know bad things could happen, but for the most part, we’re not being proactive about solving some of the issues before they see the light of day.

The panel I was on at the RSA show highlighted this very problem. We had folks from VMware and Red Hat in the audience who assured us that we were just being Chicken Littles and that the risk is both quantifiable and manageable today. We also had other indications that customers felt that while the benefits of virtualization from a cost perspective were huge, the perceived downside from the unknown risks (mostly theoretical) was making them very uncomfortable.

Out of the 150+ folks in the room, approximately 20 had virtualized systems in production roles. About 25% of them had collapsed multiple tiers of an n-tier application stack (including SOA environments) onto a single host VM. NONE of them had yet had these systems audited by any third party or regulatory agency.

Rot Roh.

The interesting thing to me was the dichotomy regarding the top-down versus bottom-up approach to describing the problem. There was lots of discussion regarding hypervisor (in)security and privilege escalation and the like, but I thought it interesting that most people were not thinking about the impact on the network and how security would have to change to accommodate it from a bottom-up (infrastructure and architecture) approach.

The notions of guest VM hopping and malware detection in hypervisors/VMs are reasonably well discussed (yet not resolved), so I thought I would approach it from the perspective of what role, if any, the traditional network infrastructure plays in this.

Thomas Ptacek was right when he said "…I also think modern enterprises are so far from having reasonable access control between the VLANs they already use without virtualization that it’s not a “next 18 month” priority to install them." And I agree with him there. So, I posit that if one accepts this as true then what to do about the following:

If we now see the consolidation of multiple OSes and applications on a single VM host, in which the bulk of traffic and data interchange is between the VMs themselves, rides the virtual switching fabric inside the VM host and never hits the actual physical network infrastructure, where, exactly, does this leave the self-defending "network" without VM-level security functionality at the "micro perimeters" of the VMs?
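To make the blind spot concrete, here is a small added example (mine, not from the original post or from any vendor mentioned in it) that models the question above: given where each VM is placed and which VMs talk to each other, it separates the flows that cross the physical fabric from those that stay on a host’s virtual switch and never reach a physical-network control. The host names, tier names, VM names and byte counts are constructed sample data; the "spread" and "collapsed" placements stand for a stack on one host per tier versus the whole n-tier stack collapsed onto a single VM host.

```python
"""Which east-west flows can a control living in the physical network see?

Added example, not code from the original post. All hosts, VMs, tiers and
byte counts below are constructed sample data. The classification rule is
the point: a flow whose source and destination VMs sit on the same VM host
crosses only that host's virtual switch, so a firewall or IDS sitting in the
physical fabric never gets a look at it.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst nbytes")


def classify_flows(placement, flows):
    """Split flows into (visible, blind) relative to the physical network.

    placement: dict mapping VM name -> VM host name.
    flows: iterable of Flow(src_vm, dst_vm, nbytes).
    A flow is blind when both endpoints share a VM host.
    """
    visible, blind = [], []
    for f in flows:
        if placement[f.src] == placement[f.dst]:
            blind.append(f)  # stays on the host's virtual switch
        else:
            visible.append(f)  # traverses the physical fabric
    return visible, blind


def blind_fraction(placement, flows):
    """Fraction of total bytes that never traverse the physical network."""
    _, blind = classify_flows(placement, flows)
    total = sum(f.nbytes for f in flows)
    return 0.0 if total == 0 else sum(f.nbytes for f in blind) / total


def blind_tier_pairs(placement, tiers, flows):
    """Set of (tier, tier) pairs whose traffic the physical network never sees.

    tiers: dict mapping VM name -> application tier name.
    """
    _, blind = classify_flows(placement, flows)
    return {tuple(sorted((tiers[f.src], tiers[f.dst]))) for f in blind}


# Constructed sample: a three-tier stack (web -> app -> db) plus an SOA bus.
TIERS = {"web1": "web", "app1": "app", "db1": "db", "esb1": "soa"}
FLOWS = [
    Flow("web1", "app1", 400),
    Flow("app1", "db1", 500),
    Flow("app1", "esb1", 100),
]

# One VM host per tier: every hop crosses the physical network.
SPREAD = {"web1": "hostA", "app1": "hostB", "db1": "hostC", "esb1": "hostD"}
# App and DB tiers collapsed onto one host, the rest elsewhere.
PARTIAL = {"web1": "hostA", "app1": "hostB", "db1": "hostB", "esb1": "hostD"}
# Whole stack collapsed onto a single VM host: nothing leaves the vSwitch.
COLLAPSED = {"web1": "hostA", "app1": "hostA", "db1": "hostA", "esb1": "hostA"}

if __name__ == "__main__":
    for name, placement in (("spread", SPREAD), ("partial", PARTIAL), ("collapsed", COLLAPSED)):
        share = blind_fraction(placement, FLOWS)
        pairs = sorted(blind_tier_pairs(placement, TIERS, FLOWS))
        print(f"{name:9s}: {share:.0%} of bytes invisible to physical-network controls; "
              f"unobserved tier pairs: {pairs}")
```

Running it shows the progression the post is worried about: with one host per tier nothing is hidden, collapsing app and db onto one host hides the app-to-db half of the bytes, and collapsing the whole stack hides every tier boundary, which is exactly where a "self-defending network" would have expected to enforce policy. The same classifier can be run over real VM inventory and flow records to size the gap before deciding what VM-level control has to fill it.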

I recall a question I asked at a recent Goldman Sachs security conference where I asked Jayshree Ullal from Cisco who was presenting Cisco’s strategy regarding virtualized security about how their approach to securing the network was impacted by virtualization in the situation I describe above.

You could hear crickets chirp in the answer.

Talk amongst yourselves….

P.S. More excellent discussions from Matasano (Ptacek) here and Rothman’s bloggy. I also recommend Greg Ness’ commentary on virtualization and security @ the HyperVisor here.

I was talking to Andy Jaquith (please buy his book, I’m tired of buying him drinks) tonight at BeanSec! and recalled an ad hoc conversation I had with Rothman the other day in regards to just how damned boring the security space has become in the last year.

I know it’s not just me (now) that senses an overall slow down in the amount of forward motion our industry is making. This isn’t suggesting that there isn’t innovation and technology movement, it’s just that we seem to be solving the same set of problems from twenty years ago and perfuming a pig.

I walked through RSA this year and short of Veracode’s booth (OK, they offered me beer) it may as well have been a Shriner’s convention.

How many NAC vendors does it take to fill an RSA conference? None, because according to Art (he’s on Crossbeam’s board, but I respectfully disagree) there aren’t going to be any independent security companies. Yet I digress.

"Sadly," we haven’t really had an exciting worm or virus outbreak recently. Patch Tuesdays are almost non-events and unless someone releases a zero-day remote exploit for controlling the UHF output on a Commodore 64, I think I’m just going to die of boredom. Snore.

Help me out here. Redeem our industry and help me regain my will to live. Pop some comments on your perspectives of what’s worth looking at from a security perspective — I mean cool, unique, innovative and problem-solving focused security solutions to really complex business problems.

It’s no great secret that from a strategic perspective (or a tactical implementation slant, either) I am not a fan of Cisco’s security vision or execution. Right, wrong or indifferent, I simply don’t believe that Cisco is a security company and just because security can (and will continue to) make its way deeper into the network fabric doesn’t mean it should.

Yawn.

I have consistently focused on the fact that pushing more and more security into the network will lead to a security monoculture and last week’s multiple vulnerabilities across Cisco’s network and security products was further indication that I think we’re heading for a car crash of epic proportions one day soon. This is where a single vendor’s version of the truth is a bad thing as defense in breadth is not the same as defense in depth.

The takeaway, I think, is that no single tool vendor comes at security without a bias. You can hardly blame Cisco from approaching security at the network level, just as Microsoft approaches it from the desktop level. When you listen to vendors talk about "enterprise security," then, it pays to read between the lines. Sometimes what they don’t say is as important as what they say.

But that’s just it — approaching security from the network level only (from the bottom up) without a coherent strategy on how to approach it from the data and application perspective (top down) means you get a disjointed and purely mechanical threat and vulnerability-focused set of security "tools."

I think it’s a fair thing to say that all vendors (even *gasp* me) are biased, but I think Tim’s article nicely summed up how lacking Cisco’s "end-to-end" strategy is:

Data/Database Security

Portable Device Security

Security Research/Threat Analysis

Application Security

Multi-factor Authentication

I don’t think there is any vendor who has this straight, but for some reason folks have a predilection towards suggesting that Cisco — due mostly to port coverage — does.

Security is more than L2 access switch ports or router shipments or an acquisition or ten and a cram-down of commoditizing functions into switches. I’m not arguing that Cisco doesn’t have a strategy, but can’t we just all admit that bumping around in the dark and "investing" in incoherent and non-consolidated solution sets does not a robust security play make?

Why do I keep harping on this? Because someone has to and more and more customers are really starting to question the big green monster’s competencies.

Speaking of which, Cisco announced today its acquisition of Reactivity — an XML security play the likes of which competes with Datapower and Forum Systems.

They announced yet another acquisition of Relativity this morning (release here). Only $135 million for this one, on what is probably minimal revenue. This continues Cisco’s assault on security, moving up the stack. Relativity makes an XML gateway (yes, it’s a box) that does some hygiene on XML traffic (encryption, filtering, authentication, acceleration, etc.). Of course, this market is really early and there were only maybe 2 or 3 other players (Forum and Vordel come to mind). But let’s be very clear, Cisco intends to be a player at the application layer. And they are flexing their checkbook to get there.

…a couple of comments:

1) The only thing I think that this is an assault on is the further dilutive effect this will have on the XML gateway "market" as it becomes a feature rather than a market via acquisition. Up or down the stack, Cisco isn’t early to this game, they are late…by about 2 years.

2) The XML gateway market isn’t early at all. It’s waning as the "market" becomes a feature and this technology is absorbed into the convergence of the web application firewall (WAF) and application delivery controller (ADC) markets.

The adoption of XML security products at large has been hindered by the complexity of the SOA architectures into which most of these products were/are intended for deployment. Most security companies (integrators, resellers, consultants) don’t have a clue about how or who to speak to in regards to XML. Most can barely spell it.

3) Cisco intends to be a player in every market it enters; otherwise they wouldn’t enter it. They’ll just botch it up and stumble their way through mediocrity and claim success as measured by drawing a circle around their feet and calling it victory and a well-executed strategy.

However, they’re not infallible and as I’ve said before, just look at the cracks in the armor. AON — which was supposed to replace the middle tier and collapse the complexity of SOA — has itself collapsed and become absorbed into the fringes of a converged security strategy.

One of the benefits of living near Boston is the abundance of amazing museums and historic sites available for visit within 50 miles from my homestead.

This weekend the family and I decided to go hit the Museum of Science for a day of learning and fun.

As we were about to leave, I spied an XP-based computer sitting in the corner of one of the wings and was intrigued by the sign on top of the monitor instructing any volunteers to login:

Then I noticed the highlighted instruction sheet taped to the wall next to the machine:

If you’re sharp enough, you’ll notice that the sheet instructs the volunteer how to remember their login credentials — and what their password is (‘1234’) unless they have changed it!

"So?" you say, "That’s not a risk. You don’t have any usernames!"

Looking to the right I saw a very interesting plaque. It contained the first and last names of the museum’s most diligent volunteers who had served hundreds of hours on behalf of the Museum. You can guess where this is going…

I tried for 30 minutes to find someone (besides Megan Crosby on the bottom of the form) to whom I could suggest a more appropriate method of secure sign-on instructions. The best I could do was one of the admission folks who stamped my hand upon entry and ended up with a manager’s phone number written on the back of a stroller rental slip.

Firstly, I think that’s great, because as I agreed, the natural evolution of (Enterprise) UTM includes the integration of functionality such as NAC, VA/VM, etc., and StillSecure’s products are top-notch, so I expect another excellent product from the boys from Colorado.

I also know that Alan and Mitchell really know their market well and do a fantastic job with product management and marketing within this space. But Alan/Mitchell’s announcement has me puzzled because there’s some serious amount of verbiage being tossed about here that’s ignoring a whole lot of reality that even the best marketing distortion field can’t obfuscate.

I found it interesting on Alan’s blog that actually what he meant to say is that StillSecure intends to bring a “new” type of product to market that isn’t described as UTM at all – in fact, Mitchell Ashley (StillSecure’s CTO – and hopefully he won’t get mad when I call him a friend) is attempting to define both a new paradigm and market segment that they call Unified Network Platform, or UNP. See here for Mitchell’s whitepaper and description of UNP.

UNP should not, however, be confused with UPN, the television network that brought you such hits as “Moesha.“

UNP is defined as "…a new paradigm for addressing the needs of network and security functions. Breaking the mold of the proprietary vendor hardware appliance solution, UNP provides an open platform architecture consisting of open software and general purpose hardware, enabling the convergence of network applications."

The Model is illustrated graphically by this diagram which looks surprisingly similar to the Carrier Grade Linux group’s model and almost identical to the Crossbeam X-Series architecture:

Clever marketing, for sure, but as I pointed out to Alan at the Smackdown, short of the new title, neither the model nor the approach is new at all. In many aspects of how Alan described his new product line, it’s exactly what we do @ Crossbeam. I was intrigued, for sure.

Apart from some semantic issues surrounding the use of open source to the exclusion of COTS and swearing off any potential benefits of optimized hardware, Mitchell’s definition of UNP attempts to re-brand concepts and a technology approach that’s quite familiar to me.

The model as defined by Mitchell seems to lay claim to an operational and technology integration model that has already been defined as the foundation for Next Generation Networks (NGN), sits at the core of the IMS/converged network working groups’ designs (and VMware’s virtual appliance model, for that matter), and calls it UNP.

Who gives a crap!? If the cost of a product and its positioning within the network is justified by the performance, scale, availability of software choice as defined by the user and the appropriate reduction of risk, then it seems to me that the only people who need to make the argument complaining about "proprietary" hardware are those that don’t have any…

I agree that the advance of OTS hardware and multi-core technology is yielding amazing value for the dollar spent and much of the hardware solutions today are commoditized at birth, but I maintain that there is a point of diminishing returns at which even today’s multi-core processors experience limits of memory and I/O (not to mention the ability of the software itself to take advantage of) that is specific to the market into which solutions are designed to operate.

You’ll get no argument from me that software is the secret sauce in the security space and even in Crossbeam’s case, the hardware is a means to an end, so if integrating FPGAs and optimized network processing hardware provides for hyper-performance of standard Intel reference designs, ‘splain to me how that’s a bad thing?

I suggest that UNP is an interesting perspective and sheds light on the “convergence” of security functionality and virtual appliances for the SME/SMB market, but new it ain’t, and this sort of solution does not fly in the large enterprise, service provider or mobile operator. It’s also a little odd and naive to suggest that this is a “network” platform approach that will rival dedicated networking functions at anything but the SME/SMB level.

Now, I’m not trying to assail Mitchell’s efforts or creativity here, nor am I suggesting that this is not an interesting way to try and distance StillSecure from the other 1000 me-too FW, nee IPS, nee small-office UTM fray, but there’s also a danger in trying to create distinction in an already acronym-burdened industry and coming off looking like you’re doing something completely new.

I had a point-by-point response to Mitchell’s summary points of his whitepaper, but as I reviewed it I realized that this would come across as one of those enormous Hoff posts — not to mention it read as a Crossbeam versus StillSecure manifesto…and given that Alan’s into his kinder, gentler stage, I reckoned I’d give it a go, too.

I’ll be heading to Barcelona for the 2007 3GSM World Congress. No speaking engagements, but much to Alan’s delight and to avert more disgust regarding objectifying women in the security industry, we’ve opted not for booth babes, but instead, I’ll be parading around our booth in a thong with a 1990’s Motorola StarTac duct-taped to my head.

I apologize in advance.

If you happen to be in Barcelona or Madrid (later in the week,) please let me know. I’ll buy you a beer (or Sangria.)

Back from Africa. Successfully summited both Mt. Meru and Mt. Kilimanjaro. Pictures and war stories later.

Now that’s out of the way, I’m back to "work" this week @ the RSA Conference in San Francisco. I’ll be there all week (from Tuesday on) so pop me an email (choff[at]crossbeamsys.com) or call me and we can get together if anyone likes.

I’m on two panels; both ought to be good given the participants and the moderators. I’m especially looking forward to the UTM Smackdown session for some reason. It’s like a fraternity reunion…without the beer.

Virtualization technologies promise better utilization of managing and provisioning computer resources within an organization, but the concept of virtualization can make security managers nervous. This panel of experts will discuss security technologies in the “virtualized” world. Specific topics include: understanding virtual machine technology in light of security issues and threat models; advances in virtualization technologies which improve your security posture; case studies of organizations who have leveraged virtualization successfully; and strategies for effective compliance in virtualized environments.

With all the UTM choices available, how is an organization supposed to pick the right solution? This no-holds-barred panel assembles four UTM CTOs to debate hot buttons, such as the need for purpose-built appliances, and the role of integrated management. This presentation will also examine appropriate solutions for small and large enterprises.